17 matches found
CVE-2026-32604
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions...
EUVD-2026-23963
Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths...
GHSA-X3J7-7PGJ-H87R Spinnaker: RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions...
CVE-2026-32604
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions...
CVE-2026-32604
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions...
PT-2026-33842
Name of the Vulnerable Software and Affected Versions Spinnaker versions prior to 2026.1.0 Spinnaker versions prior to 2026.0.1 Spinnaker versions prior to 2025.4.2 Spinnaker versions prior to 2025.3.2 Description An issue in the clouddriver pods allows a bad actor to execute arbitrary commands...
CVE-2026-25534
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
CVE-2026-25534 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
CVE-2026-25534 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
CVE-2026-25534
CVE-2026-25534 affects Spinnaker clouddriver and Orca URL validation, where underscores in hostnames were not properly handled by Java URL parsing, bypassing prior URL validation checks. Public sources (NVD/Red Hat/Snyk/OSV) confirm the impact and note that patches have been merged to be released...
CVE-2026-25534 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
GHSA-8R8J-GFHG-FW38 Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
PT-2026-25777
Impact Spinnaker updated URL Validation logic on user input to provide sanitation on user inputted URLs for clouddriver. However, they missed that Java URL objects do not correctly handle underscores on parsing. This led to a bypass of the previous CVE CVE-2025-61916 through the use of carefully...
Server-side Request Forgery (SSRF)
Overview io.spinnaker.orca:orca-clouddriver is a Spinnaker Orca Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via improper restrictions on user-supplied URLs when fetching data. An attacker can access internal resources, extract sensitive authentication data...
Server-side Request Forgery (SSRF)
Overview io.spinnaker.clouddriver:clouddriver-aws is a Spinnaker Clouddriver Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via improper restrictions on user-supplied URLs when fetching data. An attacker can access internal resources, extract sensitive...
Path Traversal
io.spinnaker.clouddriver:clouddriver-appengine is vulnerable to path traversal. The utility to extract files locally for deployment does not validate the paths, allowing a local attacker to override files on a particular container resulting in path traversal vulnerability. Man in the middle attac...